jtcsv 2.2.6 → 2.2.8
- package/json-save.js +8 -3
- package/json-to-csv.js +8 -3
- package/package.json +1 -1
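--- a/package/json-save.js
+++ b/package/json-save.js
@@ -21,17 +21,22 @@ const {
 */
 function validateJsonFilePath(filePath) {
 const path = require('path');
-
+
 // Basic validation
 if (typeof filePath !== 'string' || filePath.trim() === '') {
 throw new ValidationError('File path must be a non-empty string');
 }
-
+
 // Ensure file has .json extension
 if (!filePath.toLowerCase().endsWith('.json')) {
 throw new ValidationError('File must have .json extension');
 }
-
+
+// Block UNC paths BEFORE path.resolve() to avoid network lookup timeouts
+if (filePath.startsWith('\\\\') || filePath.startsWith('//')) {
+throw new SecurityError('UNC paths are not allowed');
+}
+
 // Get absolute path and check for traversal
 const absolutePath = path.resolve(filePath);
 const normalizedPath = path.normalize(filePath);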
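Review bot: The new UNC guard in validateJsonFilePath matches only a leading `\\` or `//`, but Node's win32 path routines treat `/` and `\` as interchangeable separators, so a path that starts with a mixed pair is, as far as I can tell, still resolved as a UNC root by `path.resolve()` and passes this check. Testing both leading characters for either separator closes the gap: `if (/^[\\/]{2}/.test(filePath)) {`. The same guard is added to validateFilePath in package/json-to-csv.js and needs the same change. The function body continues past the end of the hunk, so whether a later traversal check catches this case is not visible here.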
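--- a/package/json-to-csv.js
+++ b/package/json-to-csv.js
@@ -427,17 +427,22 @@ function preprocessData(data) {
 */
 function validateFilePath(filePath) {
 const path = require('path');
-
+
 // Basic validation
 if (typeof filePath !== 'string' || filePath.trim() === '') {
 throw new ValidationError('File path must be a non-empty string');
 }
-
+
 // Ensure file has .csv extension
 if (!filePath.toLowerCase().endsWith('.csv')) {
 throw new ValidationError('File must have .csv extension');
 }
-
+
+// Block UNC paths BEFORE path.resolve() to avoid network lookup timeouts
+if (filePath.startsWith('\\\\') || filePath.startsWith('//')) {
+throw new SecurityError('UNC paths are not allowed');
+}
+
 // Get absolute path and check for traversal
 const absolutePath = path.resolve(filePath);
 const normalizedPath = path.normalize(filePath);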
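Review bot: The UNC guard added to validateFilePath is a line-for-line copy of the one added to validateJsonFilePath in package/json-save.js, and the visible validation around it differs only in the extension string. Security checks kept in two copies tend to drift, with a later fix landing in one file and not the other; a shared helper that takes the expected extension, for example `validatePathWithExtension(filePath, '.csv')`, would keep both validators in step. I would also document above the guard that a leading `//` is rejected on every platform, although on POSIX it is an ordinary local path: `// Also rejects POSIX paths that start with '//' (intentional)`. The function body continues outside the hunk.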
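--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "jtcsv",
-"version": "2.2.
+"version": "2.2.8",
 "description": "Complete JSON<->CSV and CSV<->JSON converter for Node.js and Browser with streaming, security, Web Workers, TypeScript support, and optional ecosystem (zero-deps core)",
 "main": "index.js",
 "browser": "dist/jtcsv.umd.js",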